CVE-2026-44942 libzypp .repo files can have an optional path which can lead to path traversal attacks

🗓️ 18 Jun 2026 09:57:12Reported by suseType

CVE-2026-44942: libzypp path traversal in .repo files enables writes outside the zypp cache.

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2026-44942	18 Jun 202609:57	–	attackerkb
Circl	CVE-2026-44942	18 Jun 202612:14	–	circl
CVE	CVE-2026-44942	18 Jun 202609:57	–	cve
EUVD	EUVD-2026-37871	18 Jun 202609:57	–	euvd
NVD	CVE-2026-44942	18 Jun 202614:17	–	nvd
OPENSUSE Linux	libzypp-17.38.13-1.1 on GA media (moderate)	11 Jun 202600:00	–	opensuse
OSV	OPENSUSE-SU-2026:10984-1 libzypp-17.38.13-1.1 on GA media	9 Jun 202600:00	–	osv
OSV	SUSE-SU-2026:22064-1 Security update for libzypp	9 Jun 202615:16	–	osv
OSV	SUSE-SU-2026:22073-1 Security update for libzypp	9 Jun 202613:37	–	osv
Positive Technologies	PT-2026-48598	9 Jun 202600:00	–	ptsecurity

[
  {
    "vendor": "SUSE",
    "product": "libzypp",
    "packageName": "libzypp",
    "repo": "https://github.com/opensuse/libzypp",
    "modules": [
      "repo parsing"
    ],
    "versions": [
      {
        "status": "affected",
        "version": "17.0.0",
        "lessThan": "17.38.13",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "0",
        "lessThan": "16.22.19",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
bugzilla	www.bugzilla.suse.com/show_bug.cgi
suse	www.suse.com/security/cve/CVE-2026-44942.html

18 Jun 2026 09:57Current

CVSS 3.16.5

CWE-24